The impact of the issue described in this announcement is high. Please act accordingly to rectify the issue, as stated below.
Secret Server 10.9.x or below
What you need to know:
Thycotic has released a security update to resolve an SQL injection vulnerability that an authenticated administrative user could exploit to achieve remote code execution on the Secret Server host system.
Secret Server Cloud has been updated to include this security fix.
The bug fixes listed below apply to non-cloud (on-premises) Secret Server only. Customers using the hosted product are not affected by this vulnerability.
Actions to be taken:
Thycotic encourages all customers to upgrade at the earliest opportunity.
What is the impact of not doing the actions?
Secret Server Cloud has not been updated to include the following fixes:
- Fix to Discovery rules to correctly handle organizational units (OUs) with bracketed names.
- Secret names in reports are now links to the corresponding secret.
- Logout from Secret Server no longer sends the Clear-Site-Data header, which could previously log users out of unrelated web applications.
- SSH connections via SSH proxy now close correctly.
- Fixed an SSH proxy connection timeout when connecting via a distributed engine.